[Ksummit-2013-discuss] [ARM ATTEND] Trustzone-based security solution for ARM Linux
Barry Song
21cnbao at gmail.com
Thu Aug 15 03:45:13 EDT 2013
2013/8/15 Jassi Brar <jassisinghbrar at gmail.com>:
> On Thu, Aug 15, 2013 at 9:58 AM, Greg KH <greg at kroah.com> wrote:
>> On Thu, Aug 15, 2013 at 11:44:30AM +0800, Barry Song wrote:
>>> For the moment, there is strong markting requirement from
>>> IVI(In-Vehicle Infotainment) or mobile to use ARM Trustzone. We take
>>> IVI as an example, Auto requires security enviorment to access CAN bus
>>> and other car busses. Auto requires security enviorment to show
>>> rearview/surround view from cameras and play alert audio. on the other
>>> hand, IVI system is generically working as a video streaming sink and
>>> HDMI sink instead of a source. To support HDCP and widevine, we need
>>> to make sure private keys and video buffers are only visible to
>>> security mode. With CAN stack, video playback backend and more tasks,
>>> generically it requires a multi-task RTOS running in security mode
>>> parallel with Linux in non-security mode.
>>>
>>> Linux is a generic purpose OS with UI and all kinds of software, but
>>> we need to make sure even the Linux is ROOTed, RTOS in security mode
>>> is still active. We are able to find some opensource projects like
>>> SafeG[1], Multivisor[2], SierraVisor[3], but it turns out that ARM
>>> Linux has no rich support for this kind of architecture:
>>> 1. hypervisor running in monitor mode
>>> 2. RTOS running in security mode
>>> 3. Linux running in non-security mode
>>
>> "Linux" is just a kernel, not a whole operating system :)
>>
>> Anyway, why can't Linux be the RTOS kernel as well? What are the
>> requirements for that kernel that Linux does not currently meet?
we will run rtos+linux instead of linux+linux. typically, Auto
industry has long history to use rtos. on the other hand, we need to
boot the rtos very fast in hundreds of milliseconds to make sure
rearview, early audio have been ready.
>>
> Yes, in fact at least during development Linux usually runs in Secure mode.
> Ideally I would love to see 2 instances of Linux running - one in
> NonSecure mode and another in Secure mode, getting capabilities via 2
> corresponding DTBs reflecting the h/w partitioning done by the TZ.
not real. i think there are similar users in linux already. at least
omap and exynos have some chip specific codes like omap-smc.S,
sleep34xx.S, exynos-smc.S and so on.
and i have explained why we don't use linux+linux.
>
>>
>>> 3. as some CPU time is stolen by security mode, so the scheduler need
>>> to get this for load balance
>>
>> Does the kernel know this time is gone? Or is it not aware of it (like
>> MSIs on x86?)
>>
> The TrustedOS could share time on the same cpu as the UnTrustedOS or
> be assigned a dedicated cpu on an MP.
no. TrustedOS will not hold a whole CPU and we don't put a whole core
to RTOS as it has low CPU loading.
Linux need to know how much time has been taken by TrustOS for every
core, and do load balance considering stolen time by TrustOS.
>
> cheers.
> -jassi
-barry
More information about the linux-arm-kernel
mailing list